Fortinet Document Library

CLI Reference 6.0.0
ips rule

The IPS sensors use signatures to detect attacks. The FortiGate's predefined signatures cover common attacks. These signatures can be listed with the config ips rule ? command. Details about the default settings of each signature can be displayed with the get command.

If an unusual application or platform is being used, add custom signatures based on the security alerts released by the application and platform vendors. Custom signatures can be used to block or allow specific traffic and provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network environments.

Note that you can only edit custom IPS signatures (see config ips custom); config ips rule is a read-only command. Enter config ips rule ? to show all available rules.

config ips rule
    edit {name}
    # Configure IPS rules.
        set name {string}   Rule name. size[63]
        set status {disable | enable}   Enable/disable status.
        set log {disable | enable}   Enable/disable logging.
        set log-packet {disable | enable}   Enable/disable packet logging.
        set action {pass | block}   Action.
                pass   Pass or allow matching traffic.
                block  Block or drop matching traffic.
        set group {string}   Group. size[63]
        set os {string}   Vulnerable operation systems.
        set application {string}   Vulnerable applications.
        set service {string}   Vulnerable service.
        set rule-id {integer}   Rule ID. range[0-4294967295]
        set rev {integer}   Revision. range[0-4294967295]
        set date {integer}   Date. range[0-4294967295]
        config metadata
            edit {id}
            # Meta data.
                set id {integer}   ID. range[0-4294967295]
                set metaid {integer}   Meta ID. range[0-4294967295]
                set valueid {integer}   Value ID. range[0-4294967295]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

Example config ips rule

This example shows how to display the current configuration of the MS.Windows.JPEG.DHT.Information.Disclosure signature.

config ips rule MS.Windows.JPEG.DHT.Information.Disclosure
(MS.Windows.JPEG.DHT.Information.Disclosure) # get
name                :  MS.Windows.JPEG.DHT.Information.Disclosure
status              :  enable
log                 :  disable
log-packet          :  disable
action              :  block
group               :  operating_system
severity            :  critical
location            :  server, client
os                  :  Windows
application         :  IE
service             :  TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
rule-id             :  39723
rev                 :  5.583
date                :  1420444800

action {block | pass}

Block or pass traffic matching this signature (pass is the default).

application [<app1> <app2> ... ]

Application(s) that the signature scans.

location {client | server}

Type of system to be protected.

log {enable | disable}

Enable or disable logging for IPS.

log-packet {enable | disable}

Enable or disable packet logging for this signature.

os {all | other | windows | linux | bsd | solaris | macos}

Operating system(s) that the signature protects.

protocol [<pro1> <pro2> ... ]

Protocol(s) that the signature scans.

severity {all | info | low | medium | high | critical}

Relative importance of signature, from info to critical. Log messages generated by the signature include the severity.

signature <signature>

The custom signature enclosed in single quotes. For more information, see Custom IPS and Application Control Signature Guide.

status {enable | disable}

Enable or disable the status of the signature when it is included in an IPS Sensor.
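Because config ips rule is read-only, the practical use of the get output above is auditing: capture it for the rules in a sensor and check that high-severity signatures are enabled, blocking and logging. The following is an added example (not Fortinet code) that parses the key : value format shown on this page and applies that check; the second rule in the sample and the bare "(name) # get" prompt form are assumptions for illustration.

```python
import re

# Constructed sample: the page's entry, then a hypothetical (not real) second rule.
SAMPLE = """\
(MS.Windows.JPEG.DHT.Information.Disclosure) # get
name                :  MS.Windows.JPEG.DHT.Information.Disclosure
status              :  enable
log                 :  disable
log-packet          :  disable
action              :  block
group               :  operating_system
severity            :  critical
location            :  server, client
os                  :  Windows
application         :  IE
service             :  TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
rule-id             :  39723
rev                 :  5.583
date                :  1420444800
(Hypothetical.Example.Rule) # get
name                :  Hypothetical.Example.Rule
status              :  disable
log                 :  enable
action              :  pass
severity            :  high
"""
HEADER = re.compile(r"\((?P<name>[^)\s]+)\) # get\s*$")   # "(rule) # get" prompt line
FIELD = re.compile(r"^(?P<key>[\w-]+)\s*:\s*(?P<val>.*)$")   # "key   :  value" line
SEVERITY = ["info", "low", "medium", "high", "critical"]     # order used on this page

def parse_get_output(text):
    """Map rule name -> {field: value}; comma-separated fields become lists."""
    rules, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = rules.setdefault(m["name"], {})
        elif cur is not None and (m := FIELD.match(line)):
            val = m["val"].strip()
            if m["key"] in ("location", "service", "application"):
                val = [v.strip() for v in val.split(",")]
            cur[m["key"]] = val
    return rules

def audit(rules, min_severity="high"):
    """Flag rules at or above min_severity that are disabled, passing, or not logging."""
    checks = (("status", "enable", "disabled"), ("action", "block", "set to pass"),
              ("log", "enable", "logging disabled"))
    return [(name, msg) for name, r in rules.items()
            if SEVERITY.index(r.get("severity", "info")) >= SEVERITY.index(min_severity)
            for field, want, msg in checks if r.get(field) != want]
```

Run audit(parse_get_output(captured_text)) over output captured from a real unit; the page's own signature is reported only for having log disabled.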